I never got around to replying to this until now, sorry..

On Mon, 4 Nov 2002, Bob Hinden wrote:
> A lot of the discussion seems to imply that site-local addresses are
> created automatically (like link-local).  This is, of course, not the
> case.  Site-local are only created if someone configures a router with a
> specific site-local address on an interface and tells the router to
> advertise the prefix in a routing protocol to other routers and to
> advertise it to hosts on the link in RAs.  Site-local addresses will only
> appear in a site if an administrator decided to configure them.

Anyone can just blindly configure a site in one link.  Not much of a site,
but you can use site-locals, and you can source traffic from site-local
addresses..

> It seems to me that from a reachability point of view there isn't too much
> difference between using site-local addresses and having a firewall that
> blocks traffic from one set of global addresses and another.  Firewalls
> create limited scope addresses from global addresses.

Note that a third option is to use global addresses (assuming the site has
them), a part of their block, but not route it externally at all.  And add
firewall filters besides.

> If one assumes the
> existence of IPv6 firewalls, then these firewalls can also enforce site
> boundaries.

Sure, but that is not sufficient to satisfy addr-archv3 2.5.6 last
paragraph IMO.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
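As an added illustration (editor's example, not code from the thread or from any IPng-era implementation), the following Python model contrasts the two border mechanisms the exchange compares: the scope rule, under which a site border router never forwards a packet whose source or destination is site-local (fec0::/10) or link-local (fe80::/10) scoped, and the firewall rule corresponding to the "third option" in the reply, where a carve-out of the site's own global block is simply never allowed across the border. The site prefixes, the internal-only carve-out and the sample packets are all constructed for this example.

```python
"""Toy site-border filter contrasting address scope with firewall policy.

Editor's example, not part of the mailing-list thread. All prefixes and
packets below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Scoped prefixes from the IPv6 addressing architecture.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def scope(addr: str) -> str:
    """Classify an IPv6 unicast address as link-local, site-local or global."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local"
    return "global"


def scope_border_ok(pkt: Packet) -> bool:
    """Scope rule: the border forwards only traffic whose source and
    destination are both global scope. Site-local traffic stays inside
    the site purely because of the address it carries."""
    return scope(pkt.src) == "global" and scope(pkt.dst) == "global"


def firewall_border_ok(pkt: Packet,
                       internal_only: Iterable[ipaddress.IPv6Network]) -> bool:
    """Firewall rule: global addresses from a carve-out of the site's block
    are never allowed across the border in either direction. The addresses
    are ordinary global ones; the reachability limit comes from policy."""
    s = ipaddress.IPv6Address(pkt.src)
    d = ipaddress.IPv6Address(pkt.dst)
    return not any(s in net or d in net for net in internal_only)


def border_forwards(pkt: Packet,
                    internal_only: Iterable[ipaddress.IPv6Network]) -> bool:
    """Combined decision for a border that applies both mechanisms."""
    nets = list(internal_only)
    return scope_border_ok(pkt) and firewall_border_ok(pkt, nets)


if __name__ == "__main__":
    # Constructed sample: site holds 2001:db8:1::/48 and reserves
    # 2001:db8:1:f000::/52 for hosts that must never be reachable externally.
    carve_out = [ipaddress.IPv6Network("2001:db8:1:f000::/52")]
    samples = [
        Packet("fec0::1:2", "2001:db8:2::1"),         # site-local source
        Packet("2001:db8:1:f001::5", "2001:db8:2::1"),  # internal-only global
        Packet("2001:db8:1::5", "2001:db8:2::1"),      # ordinary global
    ]
    for p in samples:
        print(p, "scope-ok" if scope_border_ok(p) else "scope-drop",
              "fw-ok" if firewall_border_ok(p, carve_out) else "fw-drop")
```

Both `scope_border_ok` and `firewall_border_ok` yield the same reachability outcome for the sample packets, which is the point Hinden makes; the difference the reply draws is that the firewall variant depends on a policy being present and correct at every border, whereas the scoped address carries its limit with it.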
